As I understand it, every win32 executable starts with the same
byte-sequence. So, why not simply look for its Base64 encoding:
TVqQAAMA (at the start of a line after one blank line; case sensitive)
deny condition = ${if match{$message_body}{  TVqQAAMA}{yes}{no}}
     message = This message appears to contain a Windows executable
There are 2 spaces before the TVqQAAMA - the first matches the blank line,
the second matches the newline. RTFM for $message_body.
This should catch any raw win32 executable. Plausible?
--
Chris Edwards, Glasgow University Computing Service
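Added example, not part of the post above: a small Python model of the check it proposes, so the ACL condition can be tried against constructed message bodies before it goes into a live Exim config. It approximates $message_body as Exim builds it (first message_body_visible bytes, default 500, with newlines and NULs turned into spaces), runs the post's pattern, and also shows a looser pattern that matches any file beginning with "MZ" rather than the specific DOS stub bytes 4D 5A 90 00 03 00 that "TVqQAAMA" encodes. The MIME bodies and executable headers are constructed sample data.

```python
import base64
import re

# Pattern from the post: blank line + newline (both become spaces in
# $message_body) followed by the base64 of 4D 5A 90 00 03 00, the start
# of the DOS stub most linkers emit.
POST_PATTERN = re.compile(r"  TVqQAAMA")

# Looser variant added here: bytes 4D 5A xx always encode as "TV" plus
# one of o/p/q/r, so this matches any "MZ" file regardless of its stub.
MZ_PATTERN = re.compile(r"  TV[opqr]")


def exim_message_body(raw: bytes, visible: int = 500) -> str:
    """Approximate $message_body: the first `visible` bytes of the body
    (message_body_visible defaults to 500) with newlines and binary
    zeros replaced by spaces, as Exim does unless message_body_newlines
    is set."""
    text = raw[:visible].decode("latin-1")
    return text.replace("\n", " ").replace("\0", " ")


def mime_body(attachment: bytes) -> bytes:
    """Constructed sample: a multipart body carrying one base64 part."""
    b64 = base64.encodebytes(attachment)  # line-wrapped, starts at byte 0
    return (b"--boundary\n"
            b"Content-Type: application/octet-stream\n"
            b"Content-Transfer-Encoding: base64\n"
            b"\n" + b64 + b"--boundary--\n")


def flags_executable(raw_body: bytes, pattern=POST_PATTERN) -> bool:
    """True when the ACL condition in the post would fire on this body."""
    return pattern.search(exim_message_body(raw_body)) is not None


# Constructed headers: the common DOS stub, and one with different stub
# bytes after "MZ" that the post's exact pattern does not cover.
TYPICAL_EXE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\0" * 40
ODD_STUB_EXE = b"MZ\x00\x00\x01\x00\x00\x00" + b"\0" * 40
PLAIN_TEXT = b"Hi,\n\nsee attached.\n"

if __name__ == "__main__":
    print(flags_executable(mime_body(TYPICAL_EXE)))              # True
    print(flags_executable(mime_body(ODD_STUB_EXE)))             # False
    print(flags_executable(mime_body(ODD_STUB_EXE), MZ_PATTERN)) # True
    print(flags_executable(PLAIN_TEXT))                          # False
    # attachment beyond the visible window is not seen at all
    print(flags_executable(b"x" * 600 + mime_body(TYPICAL_EXE))) # False
```

The last case is the caveat worth remembering: whatever sits past message_body_visible bytes is invisible to the condition, so a long text part in front of the attachment defeats it.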